Enroll and provision a device

Device enrollment and provisioning refers to the process of binding a device to an enterprise, setting it up, and applying policy settings to the device. Before attempting to enroll and provision a device, ensure that the device:

  • Is running Android 5.1 or above.
  • Is new or has been factory reset.
  • Has Google Play installed.

Create an enrollment token

Android Management overview.
Figure 1. Create a token that enrolls and applies "policy1" to devices. After 1800 seconds (30 minutes), the token expires.

You need an enrollment token for each device that you want to enroll (you can use the same token for multiple devices). To request an enrollment token, call enterprises.enrollmentTokens.create. Tokens expire after one hour by default. You can specify a custom expiration time (duration) up to 30 days. To apply a policy to a device at the time of enrollment, specify the policyName in the request.

After creating an enrollment token, you can provision a device using the QR code or NFC method. If neither of these methods are available, it’s possible to provision the device manually.

QR code method

Recommended for Android 7.0+ devices.

QR codes work as an efficient device provisioning method for enterprises that maintain many different policies. The QR code provisioning method sets up and configures devices by scanning a QR code from the setup wizard. The QR code contains a payload of key-value pairs containing an enrollment token and all information that’s needed for Android Device Policy to provision a device.

When you create an enrollment token using enterprises.enrollmentTokens.create, the qrCode field included the response contains a recommended QR code bundle.

Example QR code bundle

Note that the bundle includes the download location of Android Device Policy and an enrollment token.

    "android.app.extra.PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME": "com.google.android.apps.work.clouddpc/.receivers.CloudDeviceAdminReceiver",
    "android.app.extra.PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM": "I5YvS0O5hXY46mb01BlRjq4oJJGs2kuUcHvVkAPEXlg",
    "android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION": "https://play.google.com/managed/downloadManagingApp?identifier=setup",
    "android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE": {"com.google.android.apps.work.clouddpc.EXTRA_ENROLLMENT_TOKEN": "{enrollment-token}"}

You can use the bundle directly or customize it. For a full list of properties that you can include in a QR code bundle, see the Android EMM Developers documentation. Use a QR code generator to create your QR code and display it to enterprise admins during the device provisioning process:

  1. On a new or factory-reset device, the user taps the screen six times in the same spot. This triggers the device to prompt the user to scan a QR code.
  2. The user scans the QR code that you display in your management console (or similar application) to enroll the device.

NFC method

Suitable for Android 5.1+ devices that support NFC.

With the NFC provisioning method, you create an NFC programmer app that contains the enrollment token, initial policies and Wi-Fi configuration, settings, and all other provisioning details required by your customer to configure a device. When you or your customer install the NFC programmer app on an Android device, that device becomes the programmer device.

For detailed guidance on how to support the NFC method, see the Android EMM Developers documentation. The site also includes sample code of the default parameters pushed to a device on an NFC bump. To install Android Device Policy, set the download location of the device admin package to:


Manual method

Suitable for Android 6.0+ devices

If Android Device Policy can't be added via QR code or NFC, the user can download it manually by entering afw#setup in the setup wizard. To enroll the device, the user can either enter the enrollment token manually or scan a QR code containing the enrollment token.

  1. The user follows the setup wizard on a new or factory-reset device.
  2. The user enters Wi-Fi login details to connect the device to the internet.
  3. When prompted to sign in, the user enters afw#setup, which downloads Android Device Policy.
  4. The user scans the QR code (containing an enrollment token) to enroll the device. If this isn't possible, the user can enter the enrollment token manually.

Enroll a device without a policy

If a device is enrolled without a valid policy, then the device is placed into quarantine. Quarantined devices are blocked from all device functions until the device is linked to a policy.

If a device is not linked to a policy in five minutes, then device enrollment fails and the device is factory reset. The quarantine device state gives you the opporunity to implement licensing checks or other enrollment validation processes as part of your solution.

Example licensing check workflow

  1. A device is enrolled without a default policy or specific policy.
  2. Check how many licenses the enterprise has remaining.
  3. If there are licences available, use devices.patch to attach a policy to the device, and then decrement your license count. If there are no licenses available, use devices.patch to disable the device. Alternatively, the API factory resets any device that is not attached to a policy within five minutes of enrollment.

Send feedback about...

Android Management API (beta)
Android Management API (beta)